I want to create a rule which will take the output from one rule and use it in a new rule.
***********************************************************
Rule 1-
Select
event.time, ip.src, country.src, ip.dst, ip.dstport, action, event.desc
Where
event.desc contains "scanner" && device.class != 'Anti Virus'
Rule 2-
Select
event.time, ip.src, country.src, ip.dst, ip.dstport, action, event.desc
Where
ip.src = (Source IP address from Rule 1 output)
*********************************************************
Hope that is clear.
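The chaining asked about above, modelled in Python as an added example that is not part of the original post and is not NetWitness or ESA rule syntax: Rule 1's matches supply the source IPs that Rule 2 filters on. The sample events, the `ev` helper and the one-hour window after the first scanner hit are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Columns from the Select clause of both rules in the question.
SELECT = ("event.time", "ip.src", "country.src", "ip.dst", "ip.dstport",
          "action", "event.desc")

def ev(time, src, desc, dev_class):
    # Hypothetical helper: builds a constructed event; dst, port, action, country are filler.
    return {"event.time": time, "ip.src": src, "country.src": "ZZ",
            "ip.dst": "10.0.0.5", "ip.dstport": 443, "action": "deny",
            "event.desc": desc, "device.class": dev_class}

EVENTS = [  # constructed sample data using documentation address ranges
    ev("2024-01-01T09:00:00", "203.0.113.7", "allowed connection", "Firewall"),
    ev("2024-01-01T10:00:00", "203.0.113.7", "port scanner activity", "IPS"),
    ev("2024-01-01T10:05:00", "203.0.113.7", "exploit attempt blocked", "Firewall"),
    ev("2024-01-01T10:06:00", "198.51.100.9", "scanner signature update", "Anti Virus"),
    ev("2024-01-01T10:07:00", "198.51.100.9", "login success", "Windows Hosts"),
    ev("2024-01-01T12:30:00", "203.0.113.7", "allowed connection", "Firewall"),
]

def rule1(events):
    """Rule 1: event.desc contains "scanner" && device.class != 'Anti Virus'."""
    return [e for e in events
            if "scanner" in e.get("event.desc", "")
            and e.get("device.class") != "Anti Virus"]

def rule2(events, window=timedelta(hours=1)):
    """Rule 2: events whose ip.src appears in Rule 1 output.

    Assumption: only events from the first scanner hit up to `window` later count.
    """
    first_hit = {}
    for e in rule1(events):
        t = datetime.fromisoformat(e["event.time"])
        first_hit[e["ip.src"]] = min(t, first_hit.get(e["ip.src"], t))
    rows = []
    for e in events:
        start = first_hit.get(e.get("ip.src"))
        t = datetime.fromisoformat(e["event.time"])
        if start is not None and start <= t <= start + window:
            rows.append({k: e.get(k) for k in SELECT})  # project the Select columns
    return rows

if __name__ == "__main__":
    for row in rule2(EVENTS):
        print(row)
```

The Anti Virus "scanner" event never seeds Rule 2, so traffic from 198.51.100.9 is not reported, which is the effect of the `device.class` exclusion in Rule 1.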
If you use ESA, you will create a rule like:
Where scanner is:
and exploit is: